New Regulatory Landscape for Sensitive Data Transfers: DOJ’s Proposed Rulemaking
In a significant move that underscores the growing concerns over national security and data privacy, the Department of Justice (DOJ) National Security Division has published a Notice of Proposed Rulemaking (NPRM) aimed at regulating transactions involving the transfer of sensitive U.S. data to designated “countries of concern,” including China and Russia. This proposed rule, set to be published in the Federal Register on October 29, 2024, will have far-reaching implications for businesses operating in the U.S. and engaging in cross-border transactions.
Understanding the Proposed Rule
The NPRM introduces a new regulatory framework that will affect vendor engagements, employment agreements, investment activities, and any other transactions in which U.S. businesses grant entities from countries deemed a threat to national security access to sensitive data. The rule specifically targets several categories of sensitive data, including:
- Human genomic data of more than 100 U.S. persons
- Biometric identifiers and precise geolocation data of more than 1,000 U.S. persons
- Personal health data and personal financial data of more than 10,000 U.S. persons
- Covered personal identifiers of more than 100,000 U.S. persons
Under this new regime, certain transactions will be prohibited without a license, while others may proceed if they meet specific cybersecurity standards. The DOJ will gain substantial investigative and enforcement powers, including the ability to conduct audits, issue civil investigative demands, and initiate criminal inquiries.
Background and Rationale
The NPRM follows President Biden’s Executive Order 14117, issued on February 28, 2024, which aims to mitigate risks associated with foreign access to sensitive personal data and government-related information. The proposed rule builds on earlier guidance provided in an Advance Notice of Proposed Rulemaking (ANPRM) released earlier this year, which outlined the DOJ’s intentions to regulate data transactions that could potentially harm U.S. national security.
The NPRM identifies six “countries of concern”: Russia, Iran, China, North Korea, Venezuela, and Cuba. The rule defines a “country of concern” as any foreign government that has engaged in conduct significantly adverse to U.S. national security and poses a risk of exploiting sensitive data.
Key Definitions and Categories
The proposed rule categorizes sensitive data into six distinct types:
- Covered Personal Identifiers: Data that can be linked to an individual.
- Precise Geolocation Data: Data that identifies an individual’s location with high accuracy.
- Biometric Identifiers: Physical characteristics used for identity verification.
- Human Genomic Data: Data representing genetic sequences.
- Personal Health Data: Information related to an individual’s health status or healthcare provision.
- Personal Financial Data: Data concerning an individual’s financial transactions and status.
The rule also outlines what constitutes “government-related data,” imposing strict limitations on its transfer to covered persons.
Prohibited and Restricted Transactions
The NPRM defines a “covered data transaction” as any transaction that involves access to government-related data or bulk sensitive personal data. This includes data brokerage, vendor agreements, employment agreements, and investment agreements. Transactions that fall under these categories pose significant risks to national security, as they may enable malicious activities by entities from countries of concern.
Certain transactions will be outright prohibited, particularly those that could allow covered persons to access sensitive personal data. For instance, a U.S. subsidiary of a foreign company that develops an AI chatbot trained on sensitive U.S. data could face severe penalties if it licenses that technology to covered persons.
Conversely, some transactions may be authorized if they comply with specific cybersecurity requirements established by the Cybersecurity and Infrastructure Security Agency (CISA). These requirements include organizational cybersecurity policies, data minimization practices, and encryption standards.
Exemptions and Compliance
The proposed rule does provide exemptions for certain types of data transactions, such as personal communications, corporate group transactions, and those authorized by federal law. However, businesses must remain vigilant and ensure compliance with the proposed security requirements to avoid penalties.
Violations of the proposed rule could lead to severe consequences, including civil and criminal penalties. The maximum civil penalty could reach $368,136 or double the transaction amount, while criminal penalties could involve fines up to $1 million or imprisonment for up to 20 years.
Implications for Businesses
The introduction of this proposed rule will significantly impact how U.S. companies engage in cross-border transactions involving sensitive data. Organizations will need to reassess their vendor agreements, employment contracts, and investment strategies to ensure compliance with the new regulatory framework. This may involve implementing robust compliance programs that include transaction diligence and data retention policies.
While the proposed rule aims to protect U.S. national security, it also raises concerns about the potential chilling effect on international business operations and data flows. Companies must navigate this complex regulatory landscape carefully to mitigate risks and ensure compliance.
Conclusion
As the DOJ prepares to implement this new regulatory framework, businesses must stay informed and proactive in their compliance efforts. The NPRM represents a significant shift in how sensitive data transactions will be regulated, and organizations must adapt to these changes to safeguard their operations and protect national security. For ongoing updates and insights into privacy and cybersecurity law developments, businesses are encouraged to subscribe to relevant legal blogs and resources.